COMPLIANCE RISK ASSESSMENT MATRIX -- NEW YORK

Company Name: [________________________________]
Assessment Period: [__/__/____] through [__/__/____]
Assessment Owner: [________________________________] (Chief Compliance Officer)
Approved By: [________________________________] (General Counsel / Audit Committee)
Document Version: [____]


TABLE OF CONTENTS

  1. Executive Summary
  2. Purpose and Objectives
  3. Scope and Applicability
  4. Regulatory Framework
  5. Methodology Overview
  6. Risk Taxonomy
  7. Scoring Rubric
  8. Roles and Responsibilities
  9. Data Sources and Inputs
  10. New York-Specific Risk Categories
  11. Risk Assessment Matrix
  12. Heat Map and Prioritization
  13. Remediation Planning
  14. Deliverables and Outputs
  15. Review Cadence and Triggers
  16. Governance and Oversight
  Appendix A: Definitions
  Appendix B: New York Regulatory Risk Inventory
  Sources and References

1. EXECUTIVE SUMMARY

This Compliance Risk Assessment Matrix ("Matrix") provides a structured framework for identifying, assessing, and prioritizing compliance risks facing [________________________________] ("Company") with respect to operations in or connected to the State of New York. The Matrix aligns with the DOJ Evaluation of Corporate Compliance Programs, the COSO ERM Framework, and USSG 8B2.1.

Key Findings Summary:

Risk Level Number of Risks Top Risk Area
Critical (Red) [____] [________________________________]
High (Orange) [____] [________________________________]
Medium (Yellow) [____] [________________________________]
Low (Green) [____] [________________________________]

2. PURPOSE AND OBJECTIVES

This Matrix serves to:

  • Identify and catalog compliance risks across all business functions operating in New York
  • Assess inherent risk levels based on likelihood and impact
  • Evaluate the effectiveness of existing controls and calculate residual risk
  • Prioritize remediation efforts based on risk severity and velocity
  • Satisfy DOJ and USSG 8B2.1 expectations for periodic risk assessment
  • Address New York's heightened regulatory environment, including DFS cybersecurity requirements and the SHIELD Act
  • Inform the Board/Audit Committee of the compliance risk profile

3. SCOPE AND APPLICABILITY

This assessment covers:

☐ All business units, departments, and functions with New York operations or New York-resident customers/employees
☐ Compliance with federal laws applicable to New York operations
☐ Compliance with New York State and New York City statutes and regulations
☐ Third-party and vendor compliance risks
☐ Emerging risks (technology, regulatory changes, market dynamics)
☐ DFS-regulated entities: enhanced cybersecurity risk assessment per 23 NYCRR Part 500


4. REGULATORY FRAMEWORK

4.1 Federal Standards

  • U.S. Sentencing Guidelines 8B2.1: Periodic risk assessment and seven minimum compliance program elements.
  • DOJ Evaluation of Corporate Compliance Programs (September 2024 Update): Evaluates program design, resourcing, and effectiveness in practice.
  • SOX Section 404 / COSO 2013: ICFR management assessment for public companies.
  • COSO ERM Framework (2017): Five components for enterprise risk management.

4.2 New York State Law

  • NY SHIELD Act (N.Y. Gen. Bus. Law 899-aa, 899-bb): Requires any person or business that owns or licenses computerized data including private information of a New York resident to implement reasonable safeguards to protect the security, confidentiality, and integrity of that information. Reasonable safeguards include administrative safeguards (designated security coordinator, risk identification, employee training, vendor selection and contractual safeguards), technical safeguards (assessing risks in network and software design and in information processing, transmission and storage; detecting, preventing, and responding to attacks or system failures; regular testing and monitoring of key controls), and physical safeguards (storage and disposal of information, prevention of unauthorized access). Breach notification must be made in the most expedient time possible and without unreasonable delay and, under the December 2024 amendment, no later than 30 days after discovery. Whenever any New York resident is notified, the business must also notify the NY Attorney General, Department of State, Division of State Police, and DFS; if more than 5,000 residents are notified, consumer reporting agencies must be notified as well. Enforced by the Attorney General (no private right of action): civil penalties of up to $5,000 per violation for safeguard failures; for notification failures, the greater of $5,000 or $20 per failed notification, capped at $250,000.
  • 23 NYCRR Part 500 (DFS Cybersecurity Regulation): Applies to entities licensed or regulated by the NY Department of Financial Services ("covered entities"). Requires a written cybersecurity program and policy, a designated CISO who reports to the Board at least annually, annual penetration testing and regular vulnerability scanning, a periodic (at least annual) risk assessment under 500.09, multi-factor authentication, encryption of nonpublic information in transit and at rest, an incident response and business continuity plan, a third-party service provider security policy, notice to DFS within 72 hours of a qualifying cybersecurity event (and within 24 hours of any ransom payment), and an annual certification of material compliance (or acknowledgment of non-compliance) submitted to the Superintendent and signed by the highest-ranking executive and the CISO. The Second Amendment (November 2023) added requirements phased in through November 2025, with heightened obligations for "Class A" companies. DFS enforces through examinations and consent orders carrying monetary penalties.
  • N.Y. Gen. Bus. Law 349: Prohibits deceptive acts or practices in the conduct of any business, trade, or commerce. Private right of action; minimum $50 statutory damages.
  • N.Y. Gen. Bus. Law 350: Prohibits false advertising. Private right of action with treble damages possible.
  • N.Y. Exec. Law 296 (Human Rights Law): Prohibits employment discrimination based on age, race, creed, color, national origin, sexual orientation, gender identity, military status, sex, disability, predisposing genetic characteristics, familial status, marital status, and domestic violence victim status. Administered by the Division of Human Rights; no damages cap.
  • N.Y. Lab. Law 201-g: Requires employers to maintain a sexual harassment prevention policy and conduct annual interactive training.
  • N.Y. Lab. Law 740: Whistleblower protections, broadened effective January 2022; prohibits retaliation against employees who report, or reasonably believe they are reporting, conduct that violates any law, rule, or regulation or that poses a substantial and specific danger to public health or safety. Employers must post a notice of employee rights under the statute.

4.3 New York City Law (if applicable)

  • NYC Human Rights Law (NYC Admin. Code 8-101 et seq.): Among the broadest anti-discrimination statutes in the nation. Covers additional protected categories and applies a more lenient liability standard than state and federal law (for example, harassment claims need not meet the federal "severe or pervasive" test).
  • NYC Local Law 144 (Automated Employment Decision Tools): Requires an independent bias audit within the prior year before an automated tool is used for hiring or promotion decisions for NYC positions, public posting of the audit summary, and advance notice to candidates and employees. Enforced by NYC DCWP (effective July 5, 2023).
  • NYC Conflicts of Interest Law (NYC Charter Ch. 68): Gift restrictions and ethical standards for City public servants; relevant to companies that do business with the City, since gifts and hospitality offered to City employees fall under these restrictions.

5. METHODOLOGY OVERVIEW

5.1 Assessment Approach

Phase 1 -- Risk Identification: Catalog all compliance obligations through regulatory inventories, incident data, audit findings, and stakeholder interviews.

Phase 2 -- Risk Assessment: Evaluate inherent likelihood and impact; assess control effectiveness; calculate residual risk.

Phase 3 -- Prioritization: Rank risks by residual score; identify trends; flag emerging risks.

Phase 4 -- Remediation Planning: Action plans for high/critical risks with owners, deadlines, and metrics.

5.2 Assessment Cycle

  • Full Assessment: Annually (Q1 of each fiscal year)
  • Interim Updates: Triggered by material events (see Section 15)
  • Continuous Monitoring: KRIs tracked monthly/quarterly
  • DFS-Regulated Entities: Annual cybersecurity risk assessment per 23 NYCRR 500.09

6. RISK TAXONOMY

Category Code Risk Category Key NY Regulators
PRIV Data Privacy and Security NY AG, DFS
CYBR Cybersecurity (DFS-Regulated) DFS
EMPL Employment and EEO NY DHR, NYC CCHR
CONS Consumer Protection and Marketing NY AG
ACOR Anti-Corruption and Anti-Bribery DOJ, SEC, NY Commission on Ethics and Lobbying in Government
SANC Sanctions and Export Controls OFAC, BIS
ANTI Antitrust and Competition NY AG, DOJ
FINC Financial Services Compliance DFS, SEC, FINRA
RECK Recordkeeping and Retention Various
TECH Technology, AI, and Emerging Risks NY AG, NYC DCWP
TPRT Third-Party and Vendor Risk Various

7. SCORING RUBRIC

7.1 Likelihood Scale (1-5)

Score Rating Description
1 Rare Unlikely in next 12 months; no historical precedent
2 Unlikely Could occur but not expected; limited precedent
3 Possible May occur; some precedent or industry trends
4 Likely Expected to occur; recurring precedent or active enforcement
5 Almost Certain Expected multiple times; active scrutiny or known deficiency

7.2 Impact Scale (1-5)

Score | Rating   | Financial   | Regulatory                                 | Operational            | Reputational
1     | Minimal  | < $50K      | Informal guidance                          | Minor disruption       | No media attention
2     | Minor    | $50K-$500K  | Warning letter / MRA                       | Moderate disruption    | Local media
3     | Moderate | $500K-$5M   | Consent order / fine                       | Significant disruption | Regional/trade media
4     | Major    | $5M-$50M    | Enforcement action / material fine         | Severe disruption      | National media
5     | Severe   | > $50M      | Criminal prosecution / license revocation  | Business-threatening   | Sustained national coverage

7.3 Control Effectiveness Scale (1-5)

Score Rating Description
1 Nonexistent No controls in place
2 Weak Controls unreliable, untested, or inconsistent
3 Basic Partially effective; gaps in design or operation
4 Strong Well-designed, consistently applied, periodically tested
5 Mature Automated, continuously monitored, independently validated

7.4 Residual Risk Calculation

Inherent Risk Score = Likelihood x Impact (1-25)

Control Effectiveness Adjustment Factor
5 (Mature) Inherent x 0.20
4 (Strong) Inherent x 0.40
3 (Basic) Inherent x 0.60
2 (Weak) Inherent x 0.80
1 (Nonexistent) Inherent x 1.00

7.5 Risk Rating Thresholds

Residual Score Rating Color Action Required
15.1 - 25.0 Critical Red Immediate remediation; Board notification
10.1 - 15.0 High Orange Remediation within 30 days; executive oversight
5.1 - 10.0 Medium Yellow Remediation within 90 days; management oversight
0.2 - 5.0 Low Green Monitor; annual review (the lowest residual the rubric can produce is 1 x 1 x 0.20 = 0.2)
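The rubric in 7.4 and 7.5 as executable code, so the arithmetic and the band boundaries live in one tested place before the numbers go into a spreadsheet. This is an added example, not part of the original template; the function and variable names are assumptions, and the sample rows are copied from the Section 11 matrix. It uses exact rational arithmetic because binary floating point lands just under some band boundaries (in Python, 9 * 0.6 evaluates to 5.3999999999999995), and it implements the Section 7.5 ranges as exclusive lower bounds, which is equivalent because every residual score falls on a 0.2 grid. The last function answers the Section 13 question of which control effectiveness level is needed to reach a target residual rating, which the tables only imply.

```python
"""Scoring engine for the rubric in Sections 7.1-7.5 (added example, not from the template)."""
from fractions import Fraction

# Section 7.4: control effectiveness score -> adjustment factor, held as exact
# fractions so band comparisons are not disturbed by binary floating point
# (in float, 9 * 0.6 == 5.3999999999999995; exact arithmetic keeps the
# 5.0 / 5.1 and 10.0 / 10.1 boundaries honest).
ADJUSTMENT = {
    5: Fraction(20, 100),   # Mature
    4: Fraction(40, 100),   # Strong
    3: Fraction(60, 100),   # Basic
    2: Fraction(80, 100),   # Weak
    1: Fraction(100, 100),  # Nonexistent
}

# Section 7.5 bands as exclusive lower bounds. Residual = (L x I) x k/5, so
# every value is a multiple of 0.2 and "> 15" is exactly the set "15.1 - 25.0".
RATING_BANDS = (
    (15, "Critical", "Immediate remediation; Board notification"),
    (10, "High", "Remediation within 30 days; executive oversight"),
    (5, "Medium", "Remediation within 90 days; management oversight"),
    (0, "Low", "Monitor; annual review"),
)
RATING_ORDER = ("Low", "Medium", "High", "Critical")


def _check_scale(name, value):
    """All three inputs are integers on a 1-5 scale (Sections 7.1-7.3)."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer 1-5, got {value!r}")


def score_risk(likelihood, impact, control_eff):
    """Inherent score, residual score and rating for one risk (Sections 7.4-7.5)."""
    _check_scale("likelihood", likelihood)
    _check_scale("impact", impact)
    _check_scale("control_eff", control_eff)
    inherent = likelihood * impact                  # 1-25
    residual = inherent * ADJUSTMENT[control_eff]   # exact Fraction
    for floor, rating, action in RATING_BANDS:
        if residual > floor:
            break
    return {
        "inherent": inherent,
        "residual": float(residual),  # exact: every residual is a multiple of 0.2
        "rating": rating,
        "action": action,
    }


def rank_risks(rows):
    """Section 12.2: score each row and order by residual, then inherent, highest first."""
    scored = [{**row, **score_risk(row["likelihood"], row["impact"], row["control_eff"])}
              for row in rows]
    scored.sort(key=lambda r: (-r["residual"], -r["inherent"], r["risk_id"]))
    return scored


def minimum_control_for(likelihood, impact, target_rating):
    """Section 13 target residual: the lowest control-effectiveness score (1-5) whose
    residual rating is at or below target_rating. Under this rubric Mature controls
    always reach Low (25 x 0.20 = 5.0), so a level is always found."""
    target = RATING_ORDER.index(target_rating)
    for control_eff in range(1, 6):
        if RATING_ORDER.index(score_risk(likelihood, impact, control_eff)["rating"]) <= target:
            return control_eff
    return None


# Sample rows copied from the Section 11 matrix (the template's own sample scores).
SAMPLE_MATRIX = [
    {"risk_id": "PRIV-NY-01", "likelihood": 4, "impact": 4, "control_eff": 2},
    {"risk_id": "CYBR-NY-01", "likelihood": 4, "impact": 5, "control_eff": 3},
    {"risk_id": "EMPL-NY-02", "likelihood": 3, "impact": 3, "control_eff": 3},
    {"risk_id": "EMPL-NY-03", "likelihood": 3, "impact": 4, "control_eff": 2},
    {"risk_id": "CONS-NY-01", "likelihood": 2, "impact": 3, "control_eff": 4},
]

if __name__ == "__main__":
    for rank, r in enumerate(rank_risks(SAMPLE_MATRIX), start=1):
        print(f"{rank} {r['risk_id']} inherent={r['inherent']:2d} "
              f"residual={r['residual']:4.1f} {r['rating']:8s} {r['action']}")
    print("Control level needed to bring CYBR-NY-01 to Medium:",
          minimum_control_for(4, 5, "Medium"))
```

Running the file scores and ranks the Section 11 rows in the order the Section 12.2 top-risks list would show them (PRIV-NY-01 at 12.8 ahead of CYBR-NY-01 at 12.0). Two boundary cases worth knowing when filling in Section 13 targets: an inherent 25 with Mature controls lands on exactly 5.0 and is rated Low, not Medium, and an inherent 20 (such as CYBR-NY-01) needs Strong controls, not merely Basic, to reach Medium, because 20 x 0.60 = 12.0 is still High.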

8. ROLES AND RESPONSIBILITIES

Role Responsibilities
Chief Compliance Officer Owns methodology; coordinates assessment; reports to Board/Audit Committee
CISO (DFS-regulated) Cybersecurity risk assessment per 23 NYCRR 500; annual Board reporting
General Counsel Legal review; regulatory obligation analysis
Domain Risk Owners Provide inputs; own controls; execute remediation
Internal Audit Independent testing and validation
Board / Audit Committee Review and approve results; oversee remediation

9. DATA SOURCES AND INPUTS

☐ Incident reports, complaints, and hotline data
☐ Regulatory examinations, inquiries, and enforcement actions (NY AG, DFS, DHR)
☐ Internal and external audit findings
☐ Penetration test and vulnerability assessment results (DFS-regulated)
☐ Product/service changes and new market entries
☐ Vendor risk assessments and due diligence
☐ KRIs and metrics dashboards
☐ Loss events and litigation history
☐ NY-specific regulatory updates (DFS bulletins, AG enforcement, NYC local laws)


10. NEW YORK-SPECIFIC RISK CATEGORIES

10.1 Data Privacy and Cybersecurity Risks

Risk ID    | Risk Description                                        | Key Requirements
PRIV-NY-01 | SHIELD Act security controls incomplete                 | N.Y. Gen. Bus. Law 899-bb -- reasonable administrative, technical, and physical safeguards
PRIV-NY-02 | Breach notification process deficiencies                | N.Y. Gen. Bus. Law 899-aa -- notice to affected residents without unreasonable delay and within 30 days of discovery; notice to AG, Department of State, State Police, and DFS whenever residents are notified; consumer reporting agencies if more than 5,000 residents notified
CYBR-NY-01 | DFS cybersecurity regulation non-compliance             | 23 NYCRR 500 -- written program and policy, CISO, penetration testing, risk assessment, MFA, encryption
CYBR-NY-02 | DFS third-party service provider security gaps          | 23 NYCRR 500.11 -- written policy for third-party providers; due diligence; contractual protections
CYBR-NY-03 | DFS event notification and annual certification gaps    | 23 NYCRR 500.17 -- notice to DFS within 72 hours of a qualifying cybersecurity event; annual certification of material compliance to the Superintendent signed by the highest-ranking executive and the CISO

10.2 Employment and EEO Risks

Risk ID    | Risk Description                             | Key Requirements
EMPL-NY-01 | NY Human Rights Law discrimination claims    | N.Y. Exec. Law 296 -- broad protected classes; no damages cap
EMPL-NY-02 | Sexual harassment prevention deficiencies    | N.Y. Lab. Law 201-g -- compliant written policy; annual interactive training
EMPL-NY-03 | NYC AEDT bias audit gaps (if applicable)     | NYC Local Law 144 -- independent bias audit before an AI hiring or promotion tool is used; published audit summary; notice to candidates
EMPL-NY-04 | Pay transparency non-compliance              | N.Y. Lab. Law 194-b -- pay range disclosure in job postings (effective September 17, 2023)

10.3 Consumer Protection Risks

Risk ID    | Risk Description                      | Key Requirements
CONS-NY-01 | GBL 349 deceptive practices exposure  | N.Y. Gen. Bus. Law 349 -- private right of action; $50 minimum statutory damages
CONS-NY-02 | False advertising claims              | N.Y. Gen. Bus. Law 350 -- treble damages available

10.4 Financial Services Risks (DFS-Regulated Entities)

Risk ID    | Risk Description                          | Key Requirements
FINC-NY-01 | DFS licensing and compliance gaps         | N.Y. Banking Law and Insurance Law -- NY-specific licensing and examination requirements
FINC-NY-02 | BSA/AML program deficiencies (NY nexus)   | 23 NYCRR Part 504 -- transaction monitoring and filtering program; annual compliance finding to DFS

11. RISK ASSESSMENT MATRIX

Risk ID    | Description                               | Owner    | Inh. L | Inh. I | Inh. Score | Control Eff. | Residual | Rating | Trend  | Regulator | Evidence/Notes | Remediation & Date | Status
PRIV-NY-01 | SHIELD Act security controls gaps         | Security | 4 | 4 | 16 | 2 | 12.8 | High   | Up     | NY AG    | Risk assessment not updated; access reviews overdue; vendor security not contractually required | Update safeguards; complete assessment by [__/__/____] | ☐ Open
CYBR-NY-01 | DFS 500 non-compliance (MFA, encryption)  | CISO     | 4 | 5 | 20 | 3 | 12.0 | High   | Up     | DFS      | MFA not deployed for all covered systems; encryption gaps in data at rest | Deploy MFA; remediate encryption by [__/__/____] | ☐ Open
EMPL-NY-02 | Sexual harassment training gaps           | HR       | 3 | 3 |  9 | 3 |  5.4 | Medium | Stable | NY DHR   | 10% of employees not trained within annual cycle | Implement automated tracking; complete training by [__/__/____] | ☐ Open
EMPL-NY-03 | NYC AEDT bias audit missing               | HR/Legal | 3 | 4 | 12 | 2 |  9.6 | Medium | Up     | NYC DCWP | No independent audit on file; candidate notice not published | Engage auditor; publish notice by [__/__/____] | ☐ Open
CONS-NY-01 | GBL 349 deceptive practices exposure      | Legal    | 2 | 3 |  6 | 4 |  2.4 | Low    | Stable | NY AG    | Recent legal review found no open claims; advertising reviewed quarterly | Continue monitoring | ☐ Monitored

Add additional rows for each identified risk.


12. HEAT MAP AND PRIORITIZATION

12.1 Risk Heat Map

IMPACT
  5 |  5   10  [15] [20] [25]
  4 |  4    8  [12] [16] [20]
  3 |  3    6    9  [12] [15]
  2 |  2    4    6    8   10
  1 |  1    2    3    4    5
    +----------------------------
       1    2    3    4    5
                LIKELIHOOD

Cell values are inherent scores (Likelihood x Impact). Bracketed cells (12 and above) are the priority zone to assess first; control effectiveness then determines the residual rating under Section 7.5.

12.2 Top Risks

Rank Risk ID Residual Score Rating Remediation Deadline
1 [____] [____] [________] [__/__/____]
2 [____] [____] [________] [__/__/____]
3 [____] [____] [________] [__/__/____]
4 [____] [____] [________] [__/__/____]
5 [____] [____] [________] [__/__/____]

13. REMEDIATION PLANNING

Field Entry
Risk ID [____]
Risk Description [________________________________]
Current Residual Score [____]
Remediation Action(s) [________________________________]
Action Owner [________________________________]
Target Completion Date [__/__/____]
Target Residual Score [____]
Success Metrics [________________________________]
Status ☐ Not Started ☐ In Progress ☐ Completed ☐ Deferred

14. DELIVERABLES AND OUTPUTS

☐ Completed Risk Assessment Matrix
☐ Heat map visualization
☐ Top risks list with executive summary
☐ Remediation plans for High and Critical risks
☐ DFS annual certification documentation (if applicable)
☐ Board/Audit Committee summary
☐ KRI dashboard


15. REVIEW CADENCE AND TRIGGERS

  • Annual Full Assessment: Q1 of each fiscal year
  • DFS-Regulated: Annual cybersecurity risk assessment per 23 NYCRR 500.09
  • Quarterly KRI Reviews
  • Interim Triggers: Regulatory inquiry, data breach, new legislation, M&A, control failure, peer enforcement action, whistleblower report

16. GOVERNANCE AND OVERSIGHT

  • Assessment Owner: Chief Compliance Officer (and CISO for cybersecurity components)
  • Review Authority: General Counsel and Audit Committee
  • Confidentiality: Prepared at the direction of the General Counsel for the purpose of obtaining legal advice and marked privileged and confidential. Privilege is not automatic for a risk assessment, so working papers and drafts circulated outside counsel's direction may be discoverable. Distribution approved by General Counsel.

APPENDIX A: DEFINITIONS

  • Inherent Risk: Risk level before controls
  • Control Effectiveness: Degree to which controls mitigate risk
  • Residual Risk: Risk after controls
  • KRI: Key Risk Indicator
  • Risk Appetite: Acceptable risk level
  • Risk Velocity: Speed of risk materialization

APPENDIX B: NEW YORK REGULATORY RISK INVENTORY

Regulatory Area       | Key Statute/Regulation                    | Enforcing Agency | Last Assessment | Risk ID(s)
Data Security         | SHIELD Act (GBL 899-aa, 899-bb)           | NY AG            | [__/__/____]    | PRIV-NY-01, PRIV-NY-02
Cybersecurity         | 23 NYCRR Part 500                         | DFS              | [__/__/____]    | CYBR-NY-01 to CYBR-NY-03
Employment            | NY Human Rights Law (Exec. Law 296)       | NY DHR           | [__/__/____]    | EMPL-NY-01
Harassment Prevention | NY Lab. Law 201-g                         | NY DHR           | [__/__/____]    | EMPL-NY-02
AI in Hiring (NYC)    | NYC Local Law 144                         | NYC DCWP         | [__/__/____]    | EMPL-NY-03
Pay Transparency      | NY Lab. Law 194-b                         | NY DOL           | [__/__/____]    | EMPL-NY-04
Consumer Protection   | GBL 349, 350                              | NY AG            | [__/__/____]    | CONS-NY-01, CONS-NY-02
Financial Services    | Banking Law, Insurance Law, 23 NYCRR 504  | DFS              | [__/__/____]    | FINC-NY-01, FINC-NY-02
Whistleblower         | NY Lab. Law 740                           | Courts           | [__/__/____]    | N/A (cross-cutting)

SOURCES AND REFERENCES

  • U.S. Sentencing Guidelines 8B2.1 -- https://guidelines.ussc.gov/
  • DOJ Evaluation of Corporate Compliance Programs (Sept. 2024) -- https://www.justice.gov/criminal/criminal-fraud/page/file/937501
  • COSO ERM Framework (2017) -- https://www.coso.org/erm-framework
  • NY SHIELD Act (N.Y. Gen. Bus. Law 899-aa, 899-bb) -- https://www.nysenate.gov/legislation/laws/GBS/899-BB
  • 23 NYCRR Part 500 (DFS Cybersecurity) -- https://www.dfs.ny.gov/industry_guidance/cybersecurity
  • N.Y. Gen. Bus. Law 349, 350
  • N.Y. Exec. Law 296 (Human Rights Law)
  • N.Y. Lab. Law 201-g, 740
  • NYC Local Law 144 (AEDT)
  • NY Commission on Ethics and Lobbying in Government -- https://ethics.ny.gov/

This document is a template provided for informational purposes only and does not constitute legal advice. It must be reviewed and customized by a qualified attorney licensed in New York before implementation.

About This Template

Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.

Last updated: April 2026